Period for Reply

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication.

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication.

- Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any earned patent term adjustment. See 37 CFR 1.704(b).

Status 

1) □ Responsive to communication(s) filed on .

2a) ☒ This action is FINAL. 2b) □ This action is non-final.

3) □ Since this application is in condition for allowance except for formal matters, prosecution as to the merits is closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) ☒ Claim(s) 1-22 is/are pending in the application.

4a) Of the above claim(s) 15 is/are withdrawn from consideration.

5) □ Claim(s) is/are allowed.

6) ☒ Claim(s) 1-14 and 16-22 is/are rejected.

7) □ Claim(s) is/are objected to.

8) □ Claim(s) are subject to restriction and/or election requirement.

Application Papers 

9) □ The specification is objected to by the Examiner.

10) □ The drawing(s) filed on is/are: a) □ accepted or b) □ objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).

Priority under 35 U.S.C. §§ 119 and 120

a) ☒ All b) □ Some* c) □ None of:

1. Certified copies of the priority documents have been received.

2. □ Certified copies of the priority documents have been received in Application No. .

3. □ Copies of the certified copies of the priority documents have been received in this National Stage application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received. 

13) □ Acknowledgment is made of a claim for domestic priority under 35 U.S.C. § 119(e) (to a provisional application) since a specific reference was included in the first sentence of the specification or in an Application Data Sheet. 37 CFR 1.78.

a) □ The translation of the foreign language provisional application has been received.

14) □ Acknowledgment is made of a claim for domestic priority under 35 U.S.C. §§ 120 and/or 121 since a specific reference was included in the first sentence of the specification or in an Application Data Sheet. 37 CFR 1.78.

DETAILED ACTION

Response to Amendment 

Applicant has amended claims 1-8, 9-10, 14, and 16 and canceled claim 15, and added new 
claims 20-22. Therefore claims 1-14 and 16-22 are now pending. 

Response to Arguments 

1. Applicant's arguments filed November 3, 2003 have been fully considered but they are
not persuasive. Applicant argues that the invention validates and stores a unique identifier for the 
client application of the user versus the client terminal of the user. Applicant has amended claims 
to teach "a method of operating an authenticating server system for authenticating a user of a 
client application provided on a client terminal. . .storing in the resource server authentication 
details including unique identifier for the client application of the user. . ." However it is the 
examiner's opinion that the subject matter presented in the amended claims is not present in the 
description of the invention and thus is rejected under 35 USC 112.

Claim Rejections - 35 USC §112 

2. The following is a quotation of the first paragraph of 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of making 
and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it 
pertains, or with which it is most nearly connected, to make and use the same and shall set forth the best mode 
contemplated by the inventor of carrying out his invention.

3. Claims 1-14 and 16-22 rejected under 35 U.S.C. 112, first paragraph, as failing to comply
with the written description requirement. The claim(s) contains subject matter which was not 
described in the specification in such a way as to reasonably convey to one skilled in the relevant 
art that the inventor(s), at the time the application was filed, had possession of the claimed 
invention. Applicant has amended claims to teach "a method of operating an authenticating 
server system for authenticating a user of a client application provided on a client 
terminal. . .storing in the resource server authentication details including unique identifier for the 
client application of the user. . ." The subject matter presented in the amended claims is not 
present in the description of the invention (page 2, lines 5-8, 12, and 15, page 7, lines 25-26, 
page 10, lines 25-30, page 12, lines 8-12, and page 13, lines 15-23). The specification states, 

"...method of operating an authenticating server system for authenticating users at client
terminals connected via a data communications...issuing an identifier for the user's
terminal . . . said identifier to be a validated identifier of a terminal ... an application server sends 
the application client a cookie containing in the 'NAME= VALUE' field an identifying tag for 
the user, referred to herein as an address token since it replaces the IP address as the means for 
identifying the user. . . the address token uniquely identifies the user terminal.". 

Claim Rejections - 35 USC § 103 

1. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made.

2. Claims 1-4, 8-11, 13, 15-19 is rejected under 35 U.S.C. 103(a) as being unpatentable over
U.S. Patent No. 5,708,780 to Levergood et al. in view of Kirsch.

Regarding claim 1, Levergood et al. teaches a method of operating an authenticating
server system for authenticating users at client terminals connected via a data communications 
network (column 3, lines 8-9), to control access to documents stored on a resource server, said 
method comprising performing the following steps in said server system: storing authentication 
details of authorized users (column 6, lines 61-63); receiving at the resource server 
authentication data for a user from a client terminal of the user, and validating at the resource 
server said authentication data by reference to said stored authentication details (column 3, lines 
25-26 and column 6, lines 58-60); and enabling said resource server to validate a request for said 
document from the client terminal of said user, which request includes said identifier, by 
checking that said stored access status includes said document (column 6, lines 58-65 and 
column 7, lines 51-53 and 63-67 and Fig.2B). 

Levergood et al. does not teach storing in the resource server authentication details and 
access status data of authorized users. Kirsch teaches storing in the resource server authentication 
details and access status data of authorized users; storing at the resource server (1) an identifier 
for the client terminal, the identifier indicating said terminal to be currently authenticated 
terminal; and (2) the access status of the user of the currently authenticated terminal (column 2, 
lines 34-37 and 42-46 and column 4, lines 51-54 and 58-64). Therefore, it would have been 
obvious to one having ordinary skill in the art at the time the invention was made to further 
modify the internet server access control and monitoring system of Levergood et al. by storing in 
the resource server authentication details and access status data of authorized users because this 
provides added security in an efficient manner where the server can verify authentication by
comparing client submitted identification with the stored access status data of the server. 

Regarding claim 2, Levergood et al. teaches a method according to claim 1, wherein said 
identifier is transmitted to said client terminal (column 3, lines 30-32). 

Levergood et al. does not teach the transmission of the identifier in a cookie. Kirsch 
teaches that said identifier is transmitted in a cookie to said user's client terminal (column 3, 
lines 14-16 and column 13, lines 11-13). Therefore, it would have been obvious to one having 
ordinary skill in the art at the time the invention was made to further modify the internet server 
access control and monitoring system of Levergood et al. by transmitting the identifier in a 
cookie because it is a more secure manner of storage and transport of identification data. 

Regarding claim 9, Levergood et al. teaches a method of operating an authenticating 
server system for authenticating users at client terminals connected via a data communications 
network (column 3, lines 8-9), to control access to a document stored on a resource server, said 
method comprising performing the following steps in said server system: storing authentication 
details of authorized users (column 6, lines 61-63); performing at the at least one of the resource 
servers remote authentication of a user by reference to said stored authentication details (column 
3, lines 25-26 and column 6, lines 58-65 and column 7, lines 51-53 and 63-67 and Fig.2B) and 
during said remote authentication step generating the access status data of the user, 
distinguishing said user from other users which are not currently authenticated (column 6, lines 
61-63), and a secret encryption key shared with said user (column 5, lines 61-65); resource 
servers to check an authentication status of said user by using an identifier for the user's client 
terminal received in a service request (column 3, lines 13-16 and column 6, lines 58-65 and 
column 7, lines 51-53 and 63-67 and Fig.2B); and storing said shared secret key in a data store
accessible by at least one of said resource servers for use during communications with said user 
(column 5, lines 61-65). 

Levergood et al. does not teach storing in at least one of the resource servers 
authentication details and access status data of authorized users. Kirsch teaches storing in at least 
one of the resource servers authentication details and access status data of authorized users; 
storing said access status data in the at least one of the resource servers to check authentication 
status of said user by using an identifier for the client terminal received in a service request to 
check the stored access status data (column 2, lines 34-37 and 42-46 and column 4, lines 51-54 
and 58-64). Therefore, it would have been obvious to one having ordinary skill in the art at the 
time the invention was made to further modify the Internet server access control and monitoring 
system of Levergood et al. by storing in at least one of the resource servers authentication details 
and access status data of authorized users because this provides added security in an efficient
manner where the server can verify authentication by comparing client submitted identification 
with the stored access status data of the server. 

Referring to claim 3, Levergood et al. teaches a method according to claim 1, wherein 
said authentication step comprises receiving said identifier from said client terminal with said 
authentication data (column 3, lines 44-47). 

Regarding claim 4, Levergood et al teaches a method according to claim 3, wherein a 
new identifier is issued to said client terminal if said authentication data is invalid (column 5, 
lines 46-49).

Referring to claim 8, Levergood et al. teaches a method according to claim 1, comprising
authenticating said user for access to a plurality of Web servers located in the same Internet 
domain (column 3, lines 66-67); and enabling each of said Web servers to validate document 
requests from the client terminal, which requests include said identifier (column 3, lines 44-45), 
by checking said status data on receipt of a document request (column 6, lines 58-60). 

Referring to claim 10, Levergood et al. teaches a method according to claim 9, wherein 
said remote authenticating step comprises issuing a challenge to the client terminal, receiving a 
response to said challenge, and verifying said response (column 6, lines 45-49 and 58-60). 

Referring to claim 11, Levergood et al. teaches a method according to claim 9, further
comprising updating said access status data for an authenticated user following said storing step 
(column 7, lines 31-34 and 63-64). 

Regarding claim 13, Levergood et al. teaches a method according to claim 11, wherein 
said updating step is performed in response to access by one of said resource servers to said 
access status data (column 8, lines 52-55). 

Regarding claim 15, Levergood et al. teaches a method according to claim 9, wherein 
said identifier is an IP address of the client terminal (column 1, lines 39-41). 

Referring to claim 16, Levergood et al. teaches a method according to claim 9, wherein 
said authentication step comprises issuing said identifier to the client terminal (column 3, lines 
30-32). 

Regarding claim 17, Levergood et al. teaches a method according to claim 9, wherein 
said access status data is stored in a data store of at least one of said resource servers (column 6, 
lines 61-63 and column 7, lines 31-34).

Referring to claim 18, Levergood et al. teaches a method according to claim 9, wherein
said authentication details include data identifying the rights of access of individual users to one 
or more of said resource servers (column 3, lines 50-52). 

Regarding claim 19, Levergood et al. teaches an authenticating server system adapted to 
perform the method of claim 1 (column 5, lines 48-49 and column 6, lines 58-60).

3. Claim 5-7, 12, and 14 rejected under 35 U.S.C. 103(a) as being unpatentable over US
Patent No. 5,708,780 to Levergood et al. in view of Kirsch as applied to claims 1-4, 8-11, 13, 15-19
above, and further in view of See et al.

Regarding claim 5, Levergood et al teaches of an identifier (column 1, lines 39-41), and 
the reception of an invalid authenticator from said client terminal (column 7, lines 13-14). 

Levergood et al. does not teach that the identifier contains the number of times an invalid 
authenticator was received. See et al. teaches said identifier comprises data indicating the 
number of times an invalid authenticator has been received from said user's client terminal 
(column 3, lines 23-25). Therefore, it would have been obvious to one having ordinary skill in 
the art at the time the invention was made to further modify the internet server access control and 
monitoring system of Levergood et al. by having the identifier contain the number of times an 
invalid authenticator was received because a user can be denied access if they submit multiple 
invalid authenticators thus providing the system with added security and access control. 

Referring to claim 6, Levergood et al. teaches of an identifier (column 1, lines 39-41), 
and the reception of an invalid authenticator from said client terminal (column 7, lines 13-14). 

Levergood et al. does not teach that the system will not issue identifiers to the user if an 
identifier received from that user shows that a predetermined number of invalid authenticators 
have been received from the user. See et al. teaches said method comprising issuing no further
identifier to said client terminal if an identifier received from said user's client terminal indicates 
that a predetermined number of invalid authenticators have been received from said user's client 
terminal (column 6, lines 23-26). Therefore, it would have been obvious to one having ordinary 
skill in the art at the time the invention was made to further modify the internet server access 
control and monitoring system of Levergood et al. by not issuing identifiers to the user if an 
identifier received from that user shows that a predetermined number of invalid authenticators 
have been received from the user because this provides the system with added security and 
access control by not allowing unauthorized users access to server information. 

Regarding claim 7, Levergood et al. teaches of an identifier (column 1, lines 39-41). 

Levergood et al. does not teach of timing out of an identifier. See et al. teaches of timing 
out of said identifier of a terminal of a currently authenticated user if no document request is 
received from said client terminal for a predetermined period (column 7, lines 32-36). Therefore, 
it would have been obvious to one having ordinary skill in the art at the time the invention was 
made to further modify the internet server access control and monitoring system of Levergood et 
al. by timing out an identifier because if a user were to forget to logout of a session another could 
use that workstation to access information that they are not authorized to view and the timing out 
of the identifier lessens the chance of this happening therefore increasing the security of the 
system. 

Referring to claim 12, Levergood et al. teaches of an updating step (column 7, lines 31-34 
and 63-64).

Levergood et al. does not teach of the updating step being performed because of a
time-out. See et al. teaches said updating step is performed in response to a time-out associated with
said access status data (column 7, lines 32-36 and lines 37-39). Therefore, it would have been 
obvious to one having ordinary skill in the art at the time the invention was made to further 
modify the internet server access control and monitoring system of Levergood et al. by 
performing the updating step because of a time-out because this will give the system up-to-date 
information on the state of the workstation. 

Referring to claim 14, Levergood et al. teaches a method according to claim 12, wherein
said updating step is performed in response to a request by the client terminal (column 4, lines 1-4).

4. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO
MONTHS of the mailing date of this final action and the advisory action is not mailed until after
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event,
however, will the statutory period for reply expire later than SIX MONTHS from the mailing
date of this final action.



Conclusion

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to April L Baugh whose telephone number is 703-305-5317. The
examiner can normally be reached on Monday-Friday 8:30am-5:00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Rupal D Dharia can be reached on 703-305-4003. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Any inquiry of a general nature or relating to the status of this application or proceeding 
should be directed to the receptionist whose telephone number is 703-305-3900. 